The 12 PCI DSS requirements are as follows:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel (goal: maintain an information security policy)
The PCI DSS standard uses these 12 tenets to define how companies should secure their systems, both technical and social.
Cisco PCI Solution for Retail 2.0 Design and Implementation Guide OL-13453-01
Figure: PCI DSS 2.0 New Reporting Guidelines (cycle of Assess, Report, Remediate)
Chapter 2 PCI and the Solution Framework
Cardholder Data Environment and Scope
A good model to adopt is one that looks at the full spectrum of time for maintaining and simplifying compliance:
Future: Become compliant. What is the current state of the organization compared to the compliant state? What changes are needed to reach a state of compliance? Is there a new standard on the horizon, or are there pending changes to the organization that might affect the state of compliance? Are there new store openings or mergers? What preparations are needed, both from a technical and a process perspective, to account for maintaining compliance?
Present: Know that you are still compliant. What tools are being used to recognize that the organization is in a state of compliance? Are there application dashboards that are succinctly developed to provide a current state of compliance? Is there a department or set of departments that owns this state? Are there accurate diagrams and documentation for the full scope of the company that is within the scope of compliance?
Past: What happened to the compliance? Did someone in the organization turn rogue? Did someone from the outside break in? Did someone fat-finger a command? Who did? How can you account for what systems are in scope and gain forensic knowledge to account for who is doing what?
This solution is designed to provide the tools and design practices to help answer these questions.
Table 2-2 Account Data

Account Data                  | Data Element                  | Render Stored Account Data Unreadable per Requirement 3.4
Cardholder Data               | Primary account number (PAN)  | Yes
Cardholder Data               | Cardholder name               | No
Cardholder Data               | Service code                  | No
Cardholder Data               | Expiration date               | No
Sensitive Authentication Data | Full magnetic stripe data     | Cannot store per Requirement 3.2
Sensitive Authentication Data | CAV2/CVC2/CVV2/CID            | Cannot store per Requirement 3.2
Sensitive Authentication Data | PIN/PIN block                 | Cannot store per Requirement 3.2
Wherever the data that corresponds to the fields in Table 2-2 are present in your organization, the appropriate measures must be taken to secure them.
Scope Maintenance
Documenting all known applications, their services, and their systemic requirements from source to destination is required to fully understand the true range of the scope. This also provides a baseline to compare against for the ongoing requirement to ensure that scope does not unknowingly increase. This is also the area in which to apply a dose of skepticism: as the applications that are involved with payment card information are catalogued, determine whether any of the functionality can be maintained while removing sensitive data. New PCI DSS 2.0 language has been added to clarify the merchant's responsibility to discover and validate the PCI DSS scope within their environment through a formally documented methodology.
From the PCI DSS 2.0 standard (page 10, under Scope of Assessment for Compliance with PCI DSS Requirements):
The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:
- The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
- Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
- The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
- The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI SCC scope confirmation activity.
Changes to personnel, additions of new systems, addition of new stores, removal of obsolete accounts or systems, and anything else that affects the state of compliance should be exposed as a factor in a retailer's compliance maintenance program. The record of which applications are accessing sensitive data, and through which infrastructure systems, must be updated on a regular basis. The PCI standard does not specify a method, so merchants can determine the best methods for their specific situations. One option to comprehensively discover sensitive cardholder data is the RSA Data Loss Prevention (DLP) Suite, which can accurately identify the location and flow of cardholder data throughout an environment. After files with sensitive information are identified and classified, they can be copied, moved, archived, deleted, or secured based on policy. The RSA DLP Suite is available in three modules:
- RSA DLP Datacenter can identify cardholder data and enforce policies across file shares, databases, storage systems (SAN/NAS), Microsoft SharePoint sites, and other data repositories.
- RSA DLP Network can identify cardholder data and enforce policies across corporate e-mail systems, web-based e-mail systems, instant messaging, and web-based protocols.
- RSA DLP Endpoint can identify cardholder data and enforce policies for such data stored or in use on laptops and desktops.
Each DLP module is centrally managed by the RSA DLP Enterprise Manager, a single browser-based management console. The RSA DLP Enterprise Manager offers dashboard, incident workflow, reporting, policy administration, and systems administration functionality. Freeware applications such as the following can also be used to help document where your sensitive data resides:
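To illustrate the scope-confirmation step described above (identify every location holding cardholder data, then record it in an inventory), the following Python scanner is an added example, not code from the Cisco guide or from the RSA DLP product. It looks for Luhn-valid card numbers in a constructed set of in-memory "files" (the paths and contents in SAMPLE_FILES are made up) and reports only truncated PANs, so the inventory itself does not become another place where full PANs are stored.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Truncate to first six and last four so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return (offset, truncated PAN) for each Luhn-valid candidate in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits

def scan_files(files: dict) -> dict:
    """Map each location that holds cardholder data to its truncated hits."""
    found = {}
    for name, body in files.items():
        hits = find_pans(body)
        if hits:
            found[name] = hits
    return found

# Constructed sample locations (hypothetical paths). 4111... and 5500... are
# the well-known Luhn-valid test numbers; 1234567890123456 fails Luhn.
SAMPLE_FILES = {
    "crm/export.csv": "id,name,card\n1,J. Doe,4111 1111 1111 1111\n",
    "pos/log.txt": "txn ok card=5500-0000-0000-0004 amount=12.50\n",
    "hr/phones.txt": "order ref 1234567890123456 ext 4421\n",
}

if __name__ == "__main__":
    for loc, hits in scan_files(SAMPLE_FILES).items():
        for offset, masked in hits:
            print(f"{loc}: PAN at offset {offset} -> {masked}")
```

Any location the scan reports belongs in the CDE inventory (or must have its data deleted or migrated into the CDE), per the scope-confirmation text quoted above.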
Point-of-Sale
Point-of-sale applications in the store are the obvious candidates for documenting. Others include applications that access and use this sensitive information for other business processes. For example, customer relationship management (CRM) applications are sometimes commingled with their customers' credit card data for customer data mining.
Voice
Voice systems are not specifically called out in the standard. However, the standard is clear that entities must secure all systems that transmit cardholder data. Therefore, your entire voice system may be in scope depending on how sensitive data is being used. Are you taking phone payments? Are you recording sensitive data in a contact center? Are you using applications that take cardholder data over interactive voice response systems? Cisco phones have built-in Ethernet interfaces that can be used to connect to downstream registers. This saves wiring costs but puts the phone into scope, because it is now a system transmitting cardholder data.
Physical
Video surveillance systems that monitor the sensitive areas such as wiring closets within stores are considered to be part of the scope of compliance because they can document who had access to a sensitive physical area. Administrators of these systems are also considered to be in scope.
E-mail
Cisco does not recommend taking credit card payment information using e-mail. However, if this does occur, e-mail systems and clients would all be in scope.
Scope Administration
Any piece of hardware that transmits sensitive data is considered to be in scope. Therefore, administration of those devices brings those administrative applications and administrators into scope.
People
Administrators who have access to the systems that process, transmit, or store sensitive data are also in scope. Strive to limit access to business need-to-know personnel. Clear role definitions can greatly reduce the population that can compromise your company by removing access for people who really do not require it to do their jobs. Approximately one-third of the breaches that occurred in 2009 were from internal personnel (2010 Verizon IBR). Restrict the administrative rights of your personnel to access systems that have sensitive data by granting administrators privileges based only on need-to-know. This can dramatically reduce the risk to your company and, in the event of a breach, reduce the range of candidates for a post-breach audit.
Processes
PCI compliance is typically not the only standard that must be addressed. Design your security policy to be as streamlined and efficient as possible while maintaining flexibility for other compliance regulations. Examples of commonly overlapping compliance standards include Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA). When developing an efficient, holistic security policy, processes must be designed to minimize overall complexity for issues such as change control, administrative access, and procedures.
Monitoring
Tools that provide the following monitoring capabilities are in scope:
- Real-time anomalous behavior
- Historical forensic analysis
- Configuration analysis to enforce template standards
Infrastructure
The physical infrastructure involved with the card data environment needs to be considered from an end-to-end perspective. Traditional components include firewalls, switches, routers, wireless access points, network appliances, and other security devices. Virtualization components such as virtual switches/routers, virtual appliances, and hypervisors that store, process, or transmit cardholder data are also in scope. Not all of the systems are obvious. Sometimes devices such as load balancers, WAN application acceleration devices, or content engines are overlooked and can be a source of compromise because these devices were not considered.
Architectural Sampling
One of the methods for reducing complexity is to standardize on architectures. For example, if you are able to replicate a standardized build across systems within the store, auditors can take a sample of the total population of stores rather than having to audit every single store. However, a common misperception is that only the stores that are audited are in scope. All branches are assumed to follow exactly the same build and procedures to use a sampling method. Be clear that in the event of a breach, a post audit will determine whether proper controls were applied across all branches. If this is found not to be the case, the merchant may be liable for litigation.
Partners
Any business partner that connects to your network with access to sensitive data needs to be PCI compliant. There must be a signed agreement for culpability that designates responsibility and demarcation between the two companies.
Service Providers
Any service provider that connects to your network with access to sensitive data needs to be PCI compliant. There must be a signed agreement for culpability that designates responsibility and demarcation between the two companies.
Internet
The Internet is a large public network that introduces a host of threats. Wherever direct Internet access is available, it should be considered a perimeter requiring a firewall and IDS/IPS technology to secure that access.
Figure 2-2 Cisco PCI Solution for Retail 2.0 framework
Store: Point of Sale (servers and applications); Voice (phones and contact center applications); Email (data loss prevention); Physical (surveillance and badge access)
Scope Administration: Authentication, Management, Encryption, Monitoring
Infrastructure: Network (routers, switches, and wireless); Security (firewalls and intrusion detection)
Services
The Cisco PCI Solution for Retail 2.0 framework is used throughout this guide as a model.
Scope Administration
This layer of the solution addresses areas of PCI compliance that affect the CDE at an administrative layer. It is defined by how systems are accessed (management and authentication), where sensitive data resides or is stored (encryption), and how alerts to this environment are used (monitoring).
Infrastructure
This layer of the solution framework addresses the infrastructure components such as routers, switches, firewalls, and security components.
Services
Services for designing, implementing, and auditing can be found from both Cisco and Verizon Business at the following URLs:
- Cisco: http://www.cisco.com/en/US/products/svcs/services_area_root.html
- Verizon: http://www.verizonbusiness.com/Products/security/